What is U.S.-EU Safe Harbor?

What is U.S.-EU Safe Harbor law? The U.S.-European Union Safe Harbor Program is a streamlined process for US companies to comply with the EU Data Protection Directive of 1998 on maintaining the privacy and integrity of personal data. Different from HIPAA, PCI and SOX compliance requirements, the Safe Harbor program framework was developed by the U.S. Department of Commerce in 2000 in consultation with the European Commission on Data Protection.

As a secure hosting provider with services such as cloud hosting, colocation and managed servers, we care about following Safe Harbor principles in order to comply with the data privacy laws for all European nations. Although businesses in Europe and the U.S. both collect and retain personal information about their customers, including social security and credit card numbers, they do have differences in their regulations and policies regarding personal data – Safe Harbor bridges the gap

Safe Harbor was created to allow businesses to transfer consumer data between the U.S. and the EU, according to SBA.gov, meaning any U.S. businesses that intend to do business with countries in the EU could benefit from meeting compliance (including import, export or consumer data exchange). Benefit meaning, avoid interruptions in business dealings with the EU or “facing prosecution by EU member state authorities under EU member state privacy laws,” according to Export.gov.

With streamlined and cost-effective compliance requirements, the program benefits small and medium enterprises – businesses can even self-certify within the framework provided by the Dept. of Commerce.

So what are the actual requirements of Safe Harbor? There are seven Safe Harbor Privacy Principles, as derived from the Dept. of Commerce:

1. Notice – This requires organizations to notify individuals about why they collect information and use information about them. Organizations must provide contact information about how they can be reached with inquiries or complaints; the types of third parties they share information with; and their reasoning behind limiting its use and disclosure.

2. Choice – Organizations must allow individuals the choice to opt out of sharing their information with a third party or if used for a different purpose than which it was originally collected.

3. Onward Transfer (Transfers to Third Parties) – The first two requirements (notice and choice) must be met before disclosing information to a third party. The third party must meet Safe Harbor Privacy Principles. As an alternative, the organization can also have a written agreement with the third party that requires they provide at least the same level of privacy as required by relevant principles.

4. Access – Organizations must allow individuals access to their personal information that is collected by the organization. They should also be allowed to change or delete the information if inaccurate.

5. Security – Organizations must protect personal information from loss, misuse, unauthorized access, disclosure, alteration and destruction.

6. Data Integrity – Organizations must take reasonable steps to ensure data is reliable for its intended use, as well as accurate, complete and current.

7. Enforcement – Organizations must set up a way to enforce the above principles, including a way that individuals’ complaints and disputes can be investigated; procedures for verifying Safe Harbor Privacy Principles have been implemented; and an obligation to solve the failure to meet the principles.

There is another Safe Harbor Program specifically applicable to the U.S. and Switzerland; the US-Swiss Safe Harbor Program.

Stay tuned for more Safe Harbor information!

References:
Safe Harbor Program; Data Privacy Laws When Doing Business in the EU
The U.S.-EU Safe Harbor Guide to Self-Certification (PDF)